1

I have an application build in asp.net mvc.

This application stores sensitive encryption keys used by various methods.

However, somebody can easily read the security keys i use if they open the application dll using .NET Reflector

My question is:

The only solution of keeping these keys really secure is to use an obfuscation tool?

Are there other solutions?

dot net reflector print screen

Improve this question
5
  • 1
    those keys should be in the config Commented May 15, 2013 at 14:55
  • If somebody can get the application DLL, then they sure can read the web.config file Commented May 15, 2013 at 14:56
  • I don't understand. Who are you trying to hide the information from? External users? Users inside your organization? It is a web application, nobody outside your organization can even access the dll. Commented May 15, 2013 at 14:57
  • Possible Duplicate: stackoverflow.com/questions/2528405/… Commented May 15, 2013 at 15:00
  • @ShaiCohen: I am trying to hide the information from hackers access :). The application has sensitive data that i can't let it easily be hijacked. Commented May 15, 2013 at 15:02

1 Answer 1

Reset to default
3

You can encrypt and decrypt them using DPAPI (ProtectedData class in .NET).

Since this is a web app, you can even easier and transparently encrypt the web.config or sections of it

See Encrypting Web.Config

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I know this is crazy, but if i use DPAPI to encrypt/decrypt web.config file, then the encryption algorithm can be also stolen?
If you use DPAPI to encrypt the web.config, you can encrypt it so that only the user that your website runs under can decrypt it. This means that for someone to steal your encryption algorithm, they would have to be able to login as the account that your website runs under, and that you can make very difficult

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.